Athena

API Keys

Manage AthenaApiKeyRight and AthenaApiKey resources, including secret writing and rotation behavior.

athena-operator can manage both Athena API-key rights and Athena API keys:

  • AthenaApiKeyRight is cluster-scoped
  • AthenaApiKey is namespaced

Important Security Behavior

  • Athena returns the raw API key only when the key is created
  • the operator writes that raw key into the Kubernetes Secret named by spec.writeSecretRef
  • the raw token is not stored in the resource .status

1) Create A Right

This step is optional. It is useful when you want a standard catalog of rights managed through CRDs instead of hand-created remote rights.

kubectl apply -f config/samples/athena_v1alpha1_athenaapikeyright.yaml

2) Create An API Key

kubectl apply -f config/samples/athena_v1alpha1_athenaapikey.yaml

3) Verify The Secret Was Written

The sample writes to Secret/default/example-operator-key:

kubectl get secret example-operator-key -n default -o yaml

4) Rotate A Key

To force rotation, change spec.rotateToken to a new value and re-apply the resource.

Example:

rotateToken: "v1"

to:

rotateToken: "v2"

The operator will delete and recreate the remote key, then update the Kubernetes Secret.

5) Gotcha: Existing Remote Key But Missing Secret

If the key already exists remotely in Athena but the Kubernetes Secret is missing, the operator cannot reconstruct the raw token.

The fix is to rotate the key by changing spec.rotateToken.
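
The rotation in step 4, which is also the fix for the missing-Secret case in step 5, as an added shell example that is not part of the athena-operator project. It patches spec.rotateToken and then polls until the Secret's content changes, comparing SHA-256 fingerprints so the raw token never reaches the terminal. Assumptions: kubectl accepts `athenaapikey` as the resource name, sha256sum is installed, and the function names, POLL_SECONDS and TIMEOUT_SECONDS are hypothetical.

```shell
#!/bin/sh
# Added example, not athena-operator code. POLL_SECONDS and TIMEOUT_SECONDS are
# hypothetical knobs; resource and Secret names are supplied by the caller.
POLL_SECONDS="${POLL_SECONDS:-2}"
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-60}"

# Print a SHA-256 fingerprint of the Secret's .data, or "missing" when the
# Secret does not exist or is empty. The raw token is never echoed.
secret_fingerprint() {
    ns="$1"; secret="$2"
    if data=$(kubectl get secret "$secret" -n "$ns" -o jsonpath='{.data}' 2>/dev/null) \
        && [ -n "$data" ]; then
        printf '%s' "$data" | sha256sum | cut -d' ' -f1
    else
        echo "missing"
    fi
}

# Set spec.rotateToken to a new value, then poll until the Secret content
# differs from its pre-rotation state (a missing Secret counts as a state).
# Returns 0 on success, 1 on timeout, 2 on bad input or a failed patch.
rotate_and_verify() {
    ns="$1"; key="$2"; secret="$3"; token="$4"
    # This script (not the operator) restricts the value so it is safe in JSON.
    case "$token" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid rotateToken value" >&2; return 2 ;;
    esac
    before=$(secret_fingerprint "$ns" "$secret")
    kubectl patch athenaapikey "$key" -n "$ns" --type merge \
        -p "{\"spec\":{\"rotateToken\":\"$token\"}}" >/dev/null || return 2
    waited=0
    while [ "$waited" -le "$TIMEOUT_SECONDS" ]; do
        after=$(secret_fingerprint "$ns" "$secret")
        if [ "$after" != "missing" ] && [ "$after" != "$before" ]; then
            echo "rotated: $before -> $after"
            return 0
        fi
        sleep "$POLL_SECONDS"
        waited=$((waited + POLL_SECONDS))
    done
    echo "Secret $ns/$secret unchanged after ${TIMEOUT_SECONDS}s" >&2
    return 1
}

# Runs only when called with four arguments, for example:
#   sh rotate.sh default <athenaapikey-name> example-operator-key v2
if [ "$#" -eq 4 ]; then
    rotate_and_verify "$@"
fi
```

A timeout (exit status 1) means the Secret still holds the old content or is still absent, so consumers should not be restarted until the script reports a changed fingerprint.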